A Quick Guide to Workplace Investigations


Cyber security breaches stemming from insider threats have increased consistently over the last few years. While companies seek to hire the best, brightest, and most ethical people to help make their business a success, things don’t always go as planned. Circumstances change, motivations transform, and commitment levels shift. Before you know it, what was once a trusted team member or contractor is now at the center of a situation requiring a workplace investigation. These efforts help confirm details, identify the extent of the damage, and drive subsequent action.

Having a proactive game plan is critical to surviving the often conflicting and intense climate surrounding workplace investigations. How businesses prepare for and respond to an investigation can have financial, reputational, and operational impacts on the company. For example, failing to prove that an employee stole your trade secrets and sold them to a competitor, who then announced your idea as their own, could mean that both offending parties get away with their crime while you suffer the loss. Here are the basics that every professional should know when it comes to workplace investigations:

What is a workplace investigation?

A workplace investigation is a process of discovering, gathering, preserving, analyzing, and reporting on evidence regarding an incident within an organization. The specific methods of the investigation can vary based on the scope and the intent. For example, an employee suspected of using your business resources to fund a terrorist attack may be treated differently from an employee that you caught sharing your business strategy with a competitor. Both offenses may warrant an investigation; however, the legal ramifications, authorities that must be involved, and other aspects will vary. Some investigations only require an internal investigation at the discretion of the company, while others may warrant bringing in law enforcement groups, legal authorities, and more. In select cases, an investigation and reporting might be mandated by law (e.g., cases involving child pornography).

When is a workplace investigation necessary?

Workplace investigations are usually initiated when an employee or contractor has violated a policy or regulation. Examples of this might include discovering employee data theft, monetary theft, conflicts of interest, privilege abuse, excessive absence, sabotage, unauthorized disclosure of information, abusive use of resources, and other violations. Employees and contractors who engage in behaviors that put the company at risk, whether intentional or unintentional, are also known as insider threats and may warrant an investigation.

When possible, conduct an investigation before taking rash actions. Doing so ensures you know the facts, understand the extent of the employee’s actions, can confirm whether they acted alone or with the help of other employees, and identify the extent of the damage. It’s important to understand these elements to take action responsibly, and also work to mitigate the risk in the future.


What are the steps in conducting workplace investigations?

  1. Contain the incident first, especially if it is a life-threatening or severe circumstance. This could involve removing employees from an area, terminating access, or other options as required.
  2. Determine if an investigation is necessary and consider what the goal is in completing one.
  3. Confirm who will lead and be involved in the investigation. Investigations take time and experienced resources to complete. Having the right expertise is critical as an ineffective investigator can completely undermine a case. In workplace investigations, internal resources may be required from various departments like technology, legal, human resources, corporate communications, and more. In addition, third parties are often involved in specialized needs like e-discovery and digital forensics.
  4. Gather evidence through interviews, device inspections, documents, and other artifacts. Evidence is a critical component in workplace investigations. Without sufficient evidence, it’s often impossible to build a solid case around what happened, discover a motive, or establish other elements.
  5. Analyze the evidence and make conclusions.
  6. Report findings to key stakeholders. In some cases, this may involve presenting the findings in court.
  7. Plan action based on the outcome.

When creating workplace investigation plans, keep these steps in mind and ensure the process and associated resources are documented for each.

  • Do identify qualified experts who can lead your workplace investigation needs. Navigating the world of evidence and digital forensics can be complicated, and simple rookie mistakes can thwart an entire case.
  • Do maintain chain of custody for all evidence. Ensure only authorized people have access and that every move associated with evidence is documented. Employees who know the ins and outs of your systems will go to great lengths to cover their tracks, including attempting to destroy evidence. In addition, if you are investigating one employee and others were involved that you are unaware of, they may continue to try obscuring or destroying evidence to help themselves and the employee currently under investigation.
  • Do act promptly, yet smartly. When you learn that an employee might be doing something unethical, the sting of frustration and perceived betrayal can push people to act illogically. Doing so can jeopardize the integrity of an investigation. The process should be objective and well-executed. Investigations that appear retaliatory, subjective, or unorganized can create additional complications and potential legal trouble.
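
The chain-of-custody point above can be backed by a tamper-evident record. The following is an added example, not part of the original article: each custody record stores the evidence hash and the hash of the previous record, so a later edit to the log or to the evidence is detectable. The field names, handlers, and sample data are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first record

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_hash(record: dict) -> str:
    # Hash every field except the stored hash itself, in a stable key order.
    body = {k: v for k, v in record.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def append_entry(log, evidence_bytes, action, handler, timestamp):
    """Add a custody record that commits to the evidence and the prior record."""
    entry = {
        "evidence_sha256": sha256_hex(evidence_bytes),
        "action": action,
        "handler": handler,
        "timestamp": timestamp,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = record_hash(entry)
    log.append(entry)

def verify_log(log, evidence_bytes):
    """Return a list of problems; an empty list means nothing was altered."""
    problems, prev = [], GENESIS
    in_hand = sha256_hex(evidence_bytes)
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev:
            problems.append(f"entry {i}: link to previous record is broken")
        if record_hash(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: record altered after it was written")
        if entry["evidence_sha256"] != in_hand:
            problems.append(f"entry {i}: evidence differs from the item in hand")
        prev = entry["entry_hash"]
    return problems

def build_sample_log(image: bytes):
    # Constructed sample: names, times and actions are invented for illustration.
    log = []
    append_entry(log, image, "acquired laptop disk image", "investigator_a", "2024-03-04T10:15:00Z")
    append_entry(log, image, "transferred to forensics lab", "investigator_b", "2024-03-04T15:40:00Z")
    append_entry(log, image, "opened for analysis", "analyst_c", "2024-03-05T09:05:00Z")
    return log

SAMPLE_IMAGE = b"constructed stand-in for a disk image"
```

Storing the latest `entry_hash` somewhere the custodians cannot write to (for example, a signed report or a separate system) is what prevents someone from rewriting the whole chain.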



  • Don’t wait until something goes wrong to start thinking about how you would handle workplace investigations. Preparing in advance, and documenting your plan can go a long way.
  • Don’t skip formal investigation when it’s necessary. Sometimes, what happened seems obvious, and a company may find it more cost-efficient to skip formally investigating. However, this leaves a gray area, stones unturned, and a limited ability to take legal action.
  • Don’t neglect technical aspects of investigation. While many think it’s easy to outsource investigations and digital forensics functions, those investigators still need data to work with. It’s essential to set up a security program that includes sufficient logging and monitoring on your network and user devices. Also, it’s vital to follow basic cyber security hygiene like having strong access management and network security. For example, if users are sharing their account logins with each other or using joint accounts, it can be challenging to distinguish who did what during an investigation.
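
The shared-login problem described above can be surfaced from authentication logs before an investigation ever needs them. This is an added example, not from the original article: it flags accounts that log in from different source addresses within a short window, a common sign of a shared or joint account. The log format, account names, addresses, and the 30-minute window are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<UTC timestamp> login user=<account> src=<address>"
LINE = re.compile(r"^(\S+) login user=(\S+) src=(\S+)$")

SAMPLE = """\
2024-03-04T09:02:11Z login user=finance_shared src=10.0.4.17
2024-03-04T09:10:45Z login user=finance_shared src=10.0.7.52
2024-03-04T09:15:00Z login user=alice src=10.0.4.17
2024-03-04T13:40:00Z login user=alice src=10.0.4.17
2024-03-04T14:05:30Z login user=bob src=10.0.7.52
2024-03-05T08:00:00Z login user=bob src=10.0.9.3
"""

def parse(lines):
    """Yield (timestamp, user, source) for every well-formed login line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3)

def shared_account_candidates(events, window=timedelta(minutes=30)):
    """Map each account to the sources it used within `window` of each other."""
    by_user = defaultdict(list)
    for ts, user, src in events:
        by_user[user].append((ts, src))
    findings = {}
    for user, logins in by_user.items():
        logins.sort()
        sources = set()
        # Compare consecutive logins: different source, close together in time.
        for (t1, s1), (t2, s2) in zip(logins, logins[1:]):
            if s1 != s2 and t2 - t1 <= window:
                sources.update((s1, s2))
        if sources:
            findings[user] = sorted(sources)
    return findings

if __name__ == "__main__":
    for user, srcs in shared_account_candidates(parse(SAMPLE.splitlines())).items():
        print(f"{user}: logins from {', '.join(srcs)} within 30 minutes")
```

In the sample, `bob` also uses two addresses, but the logins are a day apart and are not flagged; only `finance_shared` is reported.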

As insider threats continue to rise, companies must pay greater attention to and prepare for workplace investigations. Creating a program to address this requires the right level of expertise, documented processes, technology, and additional resources to ensure you are ready when the inevitable happens.
